julie70773 [at] loverhearts.com

Responded off-list to message on the list, spam with content that is not suitable for minors.

It is possible subscribed under different address.

IP of offending spam :

Received: from mx2.loverhearts.com (mx2.loverhearts.com [45.55.128.151])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.domblogger.net (Postfix) with ESMTPS id C4871C5B
    for <alice at domblogger.net>; Tue, 25 Aug 2015 18:29:11 +0000 (UTC)

On 25/08/15 20:39, Alice Wonder wrote:
> julie70773 [at] loverhearts.com
>
> Responded off-list to message on the list, spam with content that
> is not suitable for minors.
>
> It is possible subscribed under different address.
>
> IP of offending spam :
>
> Received: from mx2.loverhearts.com (mx2.loverhearts.com
> [45.55.128.151]) (using TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate
> requested) by mail.domblogger.net (Postfix) with ESMTPS id
> C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015 18:29:11
> +0000 (UTC)

Thanks for the notification, and for not having forwarded the mail to the list (which some people did on other lists ...) Please note that such user (or multiple ones from that domain) isn't/aren't subscribed to the list. In fact, I see a bunch of mails rejected at our level, from that domain, but from a *bunch* of different IP addresses, and so directly bounced back .. It seems someone/some bot is tracking the mail lists and answering to both the reply-to *and* the originator (but bounced by mailman, so no mail on the list[s])

Under investigation to see how to help stopping the flood, even if not originating from/passing through the centos.org servers ...

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

On 25/08/15 23:09, Fabian Arrotin wrote:
> On 25/08/15 20:39, Alice Wonder wrote:
>> julie70773 [at] loverhearts.com
>
>> Responded off-list to message on the list, spam with content
>> that is not suitable for minors.
>
>> It is possible subscribed under different address.
>
>> IP of offending spam :
>
>> Received: from mx2.loverhearts.com (mx2.loverhearts.com
>> [45.55.128.151]) (using TLSv1.2 with cipher
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
>> certificate requested) by mail.domblogger.net (Postfix) with
>> ESMTPS id C4871C5B for <alice at domblogger.net>; Tue, 25 Aug 2015
>> 18:29:11 +0000 (UTC)
>
> Thanks for the notification, and for not having forwarded the mail
> to the list (which some people did on other lists ...) Please note
> that such user (or multiple ones from that domain) isn't/aren't
> subscribed to the list. In fact, I see a bunch of mails rejected at
> our level, from that domain, but from a *bunch* of different IP
> addresses, and so directly bounced back .. It seems someone/some
> bot is tracking the mail lists and answering to both the reply-to
> *and* the originator (but bounced by mailman, so no mail on the
> list[s])
>
> Under investigation to see how to help stopping the flood, even if
> not originating from/passing through the centos.org servers ...
>

Just a quick status update : we've identified (from the mails bounced/rejected by our server) 14 IP addresses used to send those mails. All those IPs are originating from DigitalOcean, so we reported the abuse so that they can investigate on their side.

Cheers,

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

On 08/26/2015 09:01 PM, Always Learning wrote:
> I've blocked the spammer's host name (*.loverhearts.com) on my Exim.
> Shouldn't your organisation, and others too, do the same or similar ?

That is of course up to the individual organization. I use several DNSBLs, and I did not receive any of the spam. Actually, I've gotten more unwanted messages about the spam than actual spam from any source yesterday..... :-|

> Otherwise what is to stop subsequent receipts of junk sent from MX
> *.loverhearts.com ?
>

MX is intended to point to the server a domain uses to receive e-mail; the sending server for a domain does not have to be the MX. I set that up for one organization who was using an anti-spam service; the MX pointed to the anti-spam server, and the sending server was different and on that organization's own subnet. I believe gmail does this, using multiple MXs and a massive subnet full of sending servers. Gmail is not alone. Gmail even wreaks havoc with greylisting, since the send retry is not guaranteed to come from the same sending server as the initial try.

I have gone down the road of blocking large subnets at the border router level; down this road lie false positives in spades.
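
The greylisting problem raised in the last message, as an added example that is not part of the original thread: a minimal greylist replayed over one message whose retries come from different hosts of the same sending pool, first keyed on the exact client IP and then on the client's /24. The class, the 300-second delay, the addresses and the attempt list are all constructed for illustration.

```python
import ipaddress

RETRY_DELAY = 300  # seconds a new triplet must wait; constructed value


class Greylist:
    """Minimal in-memory greylist keyed on (client, sender, recipient)."""

    def __init__(self, prefix_len):
        # 32 keys on the exact IPv4 address; 24 treats a whole /24 as one client.
        self.prefix_len = prefix_len
        self.first_seen = {}

    def _client_key(self, ip):
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        return str(net.network_address)

    def check(self, ip, sender, rcpt, now):
        """Return 'defer' (temporary 4xx reject) or 'accept' for one attempt."""
        key = (self._client_key(ip), sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= RETRY_DELAY else "defer"


def replay(prefix_len, attempts):
    """Run (time, ip, sender, rcpt) attempts through a fresh greylist."""
    gl = Greylist(prefix_len)
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in attempts]


# Constructed sample: one message retried every 10 minutes by a provider whose
# outbound pool sits in 192.0.2.0/24 (documentation range), a different host
# on each of the first three attempts.
SENDER, RCPT = "list-owner@example.org", "alice@example.net"
ATTEMPTS = [
    (0, "192.0.2.10", SENDER, RCPT),
    (600, "192.0.2.27", SENDER, RCPT),
    (1200, "192.0.2.41", SENDER, RCPT),
    (1800, "192.0.2.10", SENDER, RCPT),
]

if __name__ == "__main__":
    print("exact IP :", replay(32, ATTEMPTS))
    print("/24 key  :", replay(24, ATTEMPTS))
```

Widening the key only helps when the retries stay inside one network; a pool spread over several networks is still deferred on each new address.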